Network and Storage Protocols

Restrict CIFS shares by one of the IP addresses of a filer


Hi all,


I would like to know if there is a way to do this:

- Add many IP addresses to a filer, each IP from a different VLAN

- Create CIFS shares or NFS exports only accessible from one of these addresses.


My idea is to

- Create a rule on the firewall to allow traffic between a set of Windows or Linux servers and one of the IP addresses of the filer

- Allow data access from this IP address to a set of servers on the filer.


I took a look at the DOT 9 documentation and it seems an export policy may restrict access to a qtree to a set of servers.

But I did not see that the IP used by the filer can be set in a rule too.



The only alternative would be to create an SVM for each IP, but it's not very convenient.












I do have one issue - if you can also help.

We have one SVM that has two CIFS share volumes (one prod vol, one test vol), and the requester has given 10 IPs for client access (export).

The requirement is to allow 5 IPs to the test volume and 5 IPs to the prod volume, so that if the same user logs in from a test server they can only access or map the test share, not prod.

Action that has been done: in the prod vol export rule I have only allowed 5 IPs (prod), but the other IPs (5 test IPs) are still able to access and map the prod share. How can I keep these IPs from accessing my prod shares?


It's possible to restrict the NAS protocol to a range of IPs or a single IP.


Here are some examples.


To set up NFS read-write access for the client with a given IP address, use the following export-policy rule.

::> vserver export-policy rule create -vserver nfs01 -policy nfspolicy -ruleindex 1 -protocol nfs -clientmatch -rorule sys -rwrule sys

To set up CIFS read-write access for the client with a given IP address, use the following export-policy rule.

::> vserver export-policy rule create -vserver cifs01 -policy cifspolicy -ruleindex 1 -protocol cifs -clientmatch -rorule ntlm,krb5 -rwrule ntlm,krb5

Hope that helps.
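
The prod/test split asked about in this thread, written out as export-policy commands (an added example, not part of any post in the thread). The volume names, policy names and the 192.0.2.0/28 and 198.51.100.0/28 subnets are constructed placeholders; ONTAP enforces export policies for SMB access only while the `-is-exportpolicy-enabled` CIFS option is on, and changing that option requires advanced privilege.

```text
# Constructed example: names and subnets are placeholders, not values from the thread.

# One export policy per volume, each matching only its own client subnet.
::> vserver export-policy create -vserver cifs01 -policyname prod_policy
::> vserver export-policy rule create -vserver cifs01 -policyname prod_policy -ruleindex 1 -protocol cifs -clientmatch 192.0.2.0/28 -rorule ntlm,krb5 -rwrule ntlm,krb5

::> vserver export-policy create -vserver cifs01 -policyname test_policy
::> vserver export-policy rule create -vserver cifs01 -policyname test_policy -ruleindex 1 -protocol cifs -clientmatch 198.51.100.0/28 -rorule ntlm,krb5 -rwrule ntlm,krb5

# Attach each policy to the volume that backs the share.
::> volume modify -vserver cifs01 -volume prod_vol -policy prod_policy
::> volume modify -vserver cifs01 -volume test_vol -policy test_policy

# Export policies apply to SMB clients only when this option is enabled on the SVM.
::> set -privilege advanced
::*> vserver cifs options modify -vserver cifs01 -is-exportpolicy-enabled true
::*> vserver cifs options show -vserver cifs01 -fields is-exportpolicy-enabled
::*> set -privilege admin

# Confirm that no broader rule remains in either policy.
::> vserver export-policy rule show -vserver cifs01 -policyname prod_policy
::> vserver export-policy rule show -vserver cifs01 -policyname test_policy
```

An export-policy rule matches on the client address only, so it separates clients per volume but does not tie a share to one of the filer's own IP addresses.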




Thank you for your answer. But it does not answer my needs:

To be more precise, I would like to be able to

- restrict CIFS share A to subnet

- restrict CIFS shares B to subnet

- restrict NFS export C to subnet (in addition to the exports file settings)

- restrict NFS export D1 and CIFS share D1 on the same data to subnet







Did you ever get an answer for this?




For what the original poster is looking at - having a share only accessible on one of the system's IP addresses, and not others - the best option is to create multiple SVMs - each will have its own AD account and can have totally separate domain auth as well as IP ranges.
